Health information privacy in the United States is governed by a layered system of federal and state laws, with HIPAA as the centerpiece but far from the only protection. The framework has expanded significantly since HIPAA’s passage in 1996, adding breach notification requirements, genetic data protections, substance use record safeguards, and state laws that cover health data HIPAA never touches.
HIPAA: The Core Federal Law
The Health Insurance Portability and Accountability Act applies to three categories of organizations, known as “covered entities”: health care providers (doctors, clinics, pharmacies, nursing homes, psychologists, dentists, chiropractors), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, and military and veterans programs), and health care clearinghouses (organizations that process health information into standardized formats). A critical detail: health care providers are only covered if they transmit information electronically in connection with standard transactions. A provider who operates entirely on paper falls outside HIPAA’s reach.
When covered entities hire outside companies to handle health data, those companies become “business associates” and must sign a written contract agreeing to follow the same privacy and security rules. Business associates are directly liable for certain HIPAA violations, not just contractually responsible.
What Counts as Protected Health Information
HIPAA protects “protected health information,” or PHI, which is any health data that can be linked to a specific person. The law identifies 18 categories of identifiers that make health data protected: names, addresses smaller than a state, dates related to the individual (except year), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device serial numbers, web URLs, IP addresses, biometric data like fingerprints and voiceprints, full-face photographs, and any other unique identifying number or code.
To strip data of its protected status, all 18 identifiers must be removed, and the organization must have no actual knowledge that the remaining information could identify someone. Even dates require careful handling: all date elements except year must be removed for dates tied to an individual, and anyone over age 89 must be grouped into a single “90 or older” category.
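The Safe Harbor de-identification just described, as an added example that is not part of the original article: a routine that drops the direct-identifier fields, keeps only the year of dates tied to the individual, collapses ages over 89 into the single "90 or older" bucket (also dropping the birth year there, since a year alone would reveal an age in that range), and then scans remaining free text for identifier-shaped strings that would undercut the "no actual knowledge" condition. The field names and the sample record are assumptions for a constructed layout.

```python
import re
from datetime import date
# Field names are assumed for this constructed layout, one per Safe Harbor class.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint", "photo"}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Identifier-shaped strings that commonly leak into free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")}

def safe_harbor_deidentify(record: dict, as_of: str) -> dict:
    """Drop identifiers, keep only the year of dates, bucket ages over 89."""
    today = date.fromisoformat(as_of)     # reference date for computing age
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the identifier entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
            continue                      # month and day must not survive
        out[key] = value
    if "date_of_birth" in record:
        dob = date.fromisoformat(record["date_of_birth"])
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age >= 90:
            # A birth year alone would still reveal an age in the protected range.
            out.pop("date_of_birth_year", None)
            out["age"] = "90 or older"
        else:
            out["age"] = age
    return out

def find_residual_identifiers(record: dict) -> dict:
    """Map field name -> identifier types still visible in its free text."""
    hits = {}
    for key, value in record.items():
        if isinstance(value, str):
            found = [n for n, p in RESIDUAL_PATTERNS.items() if p.search(value)]
            if found:
                hits[key] = found
    return hits

# Constructed sample record; every value is fictitious.
SAMPLE = {"name": "Pat Example", "ssn": "123-45-6789", "zip": "02139",
          "date_of_birth": "1931-03-15", "admission_date": "2024-05-02",
          "diagnosis_code": "E11.9", "notes": "Call back at 617-555-0100."}
```

Running `find_residual_identifiers` on the stripped output still flags the phone number left in the notes field, which is exactly the kind of residue that keeps a record from qualifying as de-identified.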
Your Right to Access Your Records
HIPAA gives you the right to request copies of your health information from any covered entity that maintains it. The entity must respond within 30 calendar days. If the records are archived offsite or otherwise hard to retrieve, the entity can extend that deadline by one additional 30-day period, but only if it notifies you in writing during the first 30 days explaining the delay and providing a new completion date. Only one extension is allowed per request.
A covered entity can require that you submit your request in writing, but it has to tell you about that requirement. It also must take reasonable steps to verify your identity before releasing records. If your request is denied, in whole or in part, the denial must come in writing, in plain language, and must explain the reason, your right to have the decision reviewed, and how to file a complaint with the organization or with the HHS Office for Civil Rights.
The HITECH Act and Breach Notification
Passed in 2009, the Health Information Technology for Economic and Clinical Health Act modernized HIPAA for the digital age. Its most significant contribution is the breach notification requirement: when a data breach exposes unsecured health information, covered entities must promptly notify every affected individual. If a breach affects more than 500 people, the entity must also notify the HHS Secretary and the media. Smaller breaches, those affecting fewer than 500 individuals, are reported to HHS on an annual basis.
Business associates that experience a breach must notify the covered entity, which then handles notifications to individuals. There is one important escape valve: if the breached data was properly encrypted or destroyed using methods specified by HHS, no notification is required because the information is considered unreadable to unauthorized individuals.
Genetic Information Protections Under GINA
The Genetic Information Nondiscrimination Act specifically targets two areas where genetic data could be weaponized against you: health insurance and employment. Health insurers cannot require you to take a genetic test, cannot ask you to disclose genetic information for underwriting, and cannot use genetic results to determine your eligibility or set your premiums. On the employment side, employers cannot require genetic testing, cannot ask for your genetic information, and cannot use it in decisions about hiring, firing, promotions, or job assignments.
Substance Use Disorder Records
Records from substance use disorder treatment receive stronger protections than standard medical records under a federal regulation known as 42 CFR Part 2. The most significant difference is the restriction on legal proceedings: these records cannot be used to investigate or prosecute a patient without the patient’s written consent or a specific court order. This is more stringent than HIPAA’s standard, which allows broader disclosures for certain legal and administrative purposes.
Recent updates to this regulation created a new category of “SUD counseling notes,” similar in concept to psychotherapy notes. These are a clinician’s personal analysis of a counseling session, kept separately from the rest of the patient’s record, and they require their own specific consent before being shared. A patient’s consent to disclose treatment records for legal proceedings must also be kept separate from consent for any other type of disclosure, preventing organizations from bundling permissions together.
Reproductive Health Care Privacy
In April 2024, HHS finalized a rule adding new protections for reproductive health care information. The rule was designed to prohibit covered entities from disclosing PHI for the purpose of investigating or imposing liability on someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. It included a presumption that reproductive health care provided by someone other than the entity receiving the disclosure request was lawful, unless the entity had actual knowledge otherwise or received factual information demonstrating a substantial basis that the care was unlawful.
However, in June 2025, a federal district court in Texas vacated most of this rule, declaring it unlawful. Some modifications to the Notice of Privacy Practices requirements survived the ruling and remain in effect, with a compliance deadline of February 16, 2026, but the core reproductive health care protections were struck down.
Health Data That Falls Outside HIPAA
One of the most important gaps in the framework is that HIPAA only applies to covered entities and their business associates. Health data collected by fitness trackers, wellness apps, consumer genetic testing services, and health-related websites typically falls entirely outside HIPAA. Privacy experts have estimated that the majority of health-related data may sit outside HIPAA’s scope.
The Federal Trade Commission partially fills this gap through the Health Breach Notification Rule, which applies to vendors of personal health records and related entities that are not covered by HIPAA. These companies must notify consumers when a breach exposes their unsecured health information, and breaches affecting 500 or more people trigger a media notification requirement. The FTC has actively warned health app and connected device companies that they must comply with this rule.
State privacy laws provide another layer. The California Privacy Rights Act, for instance, generally exempts HIPAA-covered data from its requirements, but its exemptions operate at the data level rather than the entity level. This means a health care provider might still have CPRA obligations for data it collects that doesn’t qualify as HIPAA-protected health information, such as information gathered through a website about people who aren’t patients. Virginia’s privacy law takes the broadest approach to HIPAA exemptions, exempting both covered entities entirely and multiple categories of health-related data. Colorado, Connecticut, and Utah have also enacted comprehensive privacy laws that can cover health data in the gaps HIPAA leaves open.
Enforcement and Penalties
The HHS Office for Civil Rights enforces HIPAA through a four-tier penalty structure based on the violator’s level of culpability. As of 2025, the tiers reflect inflation adjustments published in the Federal Register:
- Tier 1, Did Not Know: $145 to $36,506 per violation, with an annual cap of $36,506
- Tier 2, Reasonable Cause: $1,461 to $73,011 per violation, capped at $146,053 per year
- Tier 3, Willful Neglect, Corrected Within 30 Days: $14,602 to $73,011 per violation, capped at $365,052 per year
- Tier 4, Willful Neglect, Not Corrected: $73,011 to $2,190,294 per violation, with an annual cap of $2,190,294
These amounts reflect a 2019 enforcement discretion decision by OCR that reduced penalties in three of the four tiers from earlier, higher maximums. The reduction acknowledged that the original statutory language had been interpreted too broadly. Each violation is counted separately, so a single breach affecting thousands of records can quickly multiply into large penalties across the tier structure.